From 7fd30fa90f08efebcf79daf5a40c48cfb57bee9a Mon Sep 17 00:00:00 2001
From: Chocobo1
Date: Mon, 10 Dec 2018 22:14:53 +0800
Subject: [PATCH] Enforce referrer-policy in WebUI

This stops leaking private data to other websites via Referrer header.
---
 src/base/http/types.h | 1 +
 src/webui/webapplication.cpp | 4 +++-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/base/http/types.h b/src/base/http/types.h
index 464e53920..a38e3d328 100644
--- a/src/base/http/types.h
+++ b/src/base/http/types.h
@@ -52,6 +52,7 @@ namespace Http
     const char HEADER_HOST[] = "host";
     const char HEADER_ORIGIN[] = "origin";
     const char HEADER_REFERER[] = "referer";
+    const char HEADER_REFERRER_POLICY[] = "referrer-policy";
     const char HEADER_SET_COOKIE[] = "set-cookie";
     const char HEADER_X_CONTENT_TYPE_OPTIONS[] = "x-content-type-options";
     const char HEADER_X_FORWARDED_HOST[] = "x-forwarded-host";
diff --git a/src/webui/webapplication.cpp b/src/webui/webapplication.cpp
index b16a466c2..dac8f155f 100644
--- a/src/webui/webapplication.cpp
+++ b/src/webui/webapplication.cpp
@@ -570,9 +570,11 @@ Http::Response WebApplication::processRequest(const Http::Request &request, cons
         if (m_isHttpsEnabled) {
             csp += QLatin1String(" upgrade-insecure-requests;");
         }
-        header(Http::HEADER_CONTENT_SECURITY_POLICY, csp);
+        if (!m_isAltUIUsed)
+            header(Http::HEADER_REFERRER_POLICY, "same-origin");
+
         return response();
     }
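Review bot: As rendered, the webapplication.cpp hunk removes `header(Http::HEADER_CONTENT_SECURITY_POLICY, csp);` and no added line re-emits it, so the `csp` string assembled just above (including the `upgrade-insecure-requests` directive) is built but never sent; if a `+` line was lost in rendering this is moot, otherwise `header(Http::HEADER_CONTENT_SECURITY_POLICY, csp);` should stay ahead of the new `if`. The new `Referrer-Policy: same-origin` header is emitted only when `m_isAltUIUsed` is false, so an alternative WebUI presumably still runs under the browser's default referrer behaviour that the description sets out to close; since Referrer-Policy only governs the Referer value attached to outgoing requests, it is unlikely to break an alternative UI the way CSP might, so either send it unconditionally or explain the exclusion with a comment on the `if`. The enclosing processRequest starts before the hunk, so whether `csp` is emitted elsewhere cannot be confirmed from here.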